Criminals change DNS servers on routers to steal money

The Polish Computer Emergency Response Team reports that criminals are modifying the DNS server settings in vulnerable routers. This lets them carry out man-in-the-middle attacks, which they use to steal money from internet banking customers.

The case came to a head in late 2013, when the Polish CERT received reports of iPhone users encountering counterfeit banking sites. Further investigation revealed that there was no malware on iOS; instead, the victims’ routers had been tampered with. By changing the router’s DNS server to the address of a server under their own control, the criminals were able to lure Polish internet users to fake websites.

The criminals presumably used vulnerabilities in the routers to modify the DNS settings, although the Polish CERT does not rule out the possibility that weak or default passwords were also used. The organization also does not report which brands or models of routers were compromised.

Although the criminals managed to steal money with the help of additional malware, the man-in-the-middle attack was not completely invisible. During the process, for example, traffic was partly sent over http rather than https, which can trigger browser warnings. By fiddling with domain names and including ‘ssl’ in the address, for example, the criminals tried to cover this up for less experienced internet users.
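The two signs described above, an unexpected resolver handed out by the router and banking traffic that goes over plain http or carries an ‘ssl’ label in the hostname, can be checked from the client side. The following is an added example for illustration, not code from the Polish CERT report; the resolver file, the allowlist, the bank domain and the URLs are all constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of the resolvers a router hands out via DHCP, as a client
# would record them in /etc/resolv.conf. 203.0.113.77 stands in for an
# attacker-controlled resolver (placeholder, not a real indicator).
SAMPLE_RESOLV_CONF = """\
# generated by dhcp
nameserver 192.168.1.1
nameserver 203.0.113.77
"""

# Resolvers the network operator expects clients to use (constructed allowlist).
EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}

def unexpected_resolvers(resolv_conf: str, expected: set) -> list:
    """Return every nameserver entry that is not on the expected list."""
    found = re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.MULTILINE)
    return [ip for ip in found if ip not in expected]

# Constructed bank domain and sample URLs as they might appear in a proxy log.
BANK_DOMAINS = {"examplebank.pl"}
SAMPLE_URLS = [
    "https://login.examplebank.pl/",     # legitimate
    "http://login.examplebank.pl/auth",   # plaintext to the bank's own domain
    "http://ssl.examplebank.pl/login",    # 'ssl' in the name, still plaintext
    "https://examplebank-ssl.example/",   # bank name and 'ssl' on a foreign domain
]

def classify_url(url: str, bank_domains: set) -> list:
    """Return the reasons a URL looks like the hijack described in the report."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    on_bank = any(host == d or host.endswith("." + d) for d in bank_domains)
    reasons = []
    if on_bank and parts.scheme == "http":
        reasons.append("plaintext http to bank domain")
    if not on_bank and any(d.split(".")[0] in host for d in bank_domains):
        reasons.append("bank name on foreign domain")
    # 'ssl' used as a hostname label to look secure, on a plaintext or foreign host
    if "ssl" in re.split(r"[.-]", host) and (parts.scheme == "http" or not on_bank):
        reasons.append("'ssl' label on plaintext or foreign host")
    return reasons

def flag_urls(urls: list, bank_domains: set) -> dict:
    """Map each suspicious URL to its list of reasons; clean URLs are omitted."""
    return {u: r for u in urls if (r := classify_url(u, bank_domains))}
```

A resolver outside the allowlist is the strongest signal here; the URL checks only catch the cover-up once the hijack is already in place.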